Powershell Deobsfuscation Ep.7

Question

&nbsp;I first collected the .ps1 script&nbsp;and noticed that it is from hexafter decoding from hex&nbsp;&nbsp;I noticed that it converts from decimalsThis led me to use the from the from decimal recipe from CyberchefHowever, this led me towards only the decoded eding of the script itself.with the main obfuscated payload being empty.&nbsp;I am wondering about where I am going wrong in my thought process.

samdickison · Answer

It looks like you're on the right track by identifying the layer of decimal conversion, but running the From Decimal recipe on the entire PowerShell wrapper script is causing CyberChef to break or output empty data.
To proceed, look closely at how the script handles the massive data arrays—specifically the strings broken into sections like 1: [STRING]::Join(...) and 2: [STRING]::Join(...). You need to isolate just the raw, comma-separated decimal numbers of the main payload from those specific variables, strip out the PowerShell code, and pass only those numeric values into your CyberChef recipe.

Forum Discussion

Powershell Deobsfuscation Ep.7

1 Reply

Featured Places

Help

Related Content

Powershell Deobsfuscation Ep.7

Powershell Deobsfuscation Ep.7

Powershell Deobsfuscation Ep.7

Assistance: PowerShell Deobfuscation: Ep.4 - Logical and Structural Obfuscation - Question 7

SuperSonic: Ep.7 – LIFTON

Recent Discussions

Microsoft Sentinel SOAR :Demonstrate ypur skills

Ransomware: TeslaCrypt - Stuck at Last Question

PowerShell Deobfuscation – Challenge 8

Microsoft Sentinel SOAR :Demonstrate your skills

Powershell Deobsfuscation Ep.7